3 * Copyright (c) 1997 - 2011 Kungliga Tekniska Högskolan
4 * (Royal Institute of Technology, Stockholm, Sweden).
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the Institute nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * free all the memory used by (len, keys)
42 hdb_free_keys(krb5_context context
, int len
, Key
*keys
)
46 for (i
= 0; i
< len
; i
++) {
49 if (keys
[i
].salt
!= NULL
) {
50 free_Salt(keys
[i
].salt
);
54 krb5_free_keyblock_contents(context
, &keys
[i
].key
);
60 * for each entry in `default_keys' try to parse it as a sequence
61 * of etype:salttype:salt, syntax of this if something like:
62 * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it
63 * means all etypes, and if string is omitted is means the default
64 * string (for that principal). Additional special values:
67 * afs or afs3 == des:afs3-salt
70 static const krb5_enctype des_etypes
[] = {
71 KRB5_ENCTYPE_DES_CBC_MD5
,
72 KRB5_ENCTYPE_DES_CBC_MD4
,
73 KRB5_ENCTYPE_DES_CBC_CRC
76 static const krb5_enctype all_etypes
[] = {
77 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
78 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
,
79 KRB5_ENCTYPE_DES3_CBC_SHA1
82 static krb5_error_code
83 parse_key_set(krb5_context context
, const char *key
,
84 krb5_enctype
**ret_enctypes
, size_t *ret_num_enctypes
,
85 krb5_salt
*salt
, krb5_principal principal
)
90 int i
, num_enctypes
= 0;
92 const krb5_enctype
*enctypes
= NULL
;
98 *ret_num_enctypes
= 0;
100 /* split p in a list of :-separated strings */
101 for(num_buf
= 0; num_buf
< 3; num_buf
++)
102 if(strsep_copy(&p
, ":", buf
[num_buf
], sizeof(buf
[num_buf
])) == -1)
105 salt
->saltvalue
.data
= NULL
;
106 salt
->saltvalue
.length
= 0;
108 for(i
= 0; i
< num_buf
; i
++) {
109 if(enctypes
== NULL
&& num_buf
> 1) {
110 /* this might be a etype specifier */
111 /* XXX there should be a string_to_etypes handling
112 special cases like `des' and `all' */
113 if(strcmp(buf
[i
], "des") == 0) {
114 enctypes
= des_etypes
;
115 num_enctypes
= sizeof(des_etypes
)/sizeof(des_etypes
[0]);
116 } else if(strcmp(buf
[i
], "des3") == 0) {
117 e
= KRB5_ENCTYPE_DES3_CBC_SHA1
;
121 ret
= krb5_string_to_enctype(context
, buf
[i
], &e
);
130 if(salt
->salttype
== 0) {
131 /* interpret string as a salt specifier, if no etype
132 is set, this sets default values */
133 /* XXX should perhaps use string_to_salttype, but that
135 if(strcmp(buf
[i
], "pw-salt") == 0) {
136 if(enctypes
== NULL
) {
137 enctypes
= all_etypes
;
138 num_enctypes
= sizeof(all_etypes
)/sizeof(all_etypes
[0]);
140 salt
->salttype
= KRB5_PW_SALT
;
141 } else if(strcmp(buf
[i
], "afs3-salt") == 0) {
142 if(enctypes
== NULL
) {
143 enctypes
= des_etypes
;
144 num_enctypes
= sizeof(des_etypes
)/sizeof(des_etypes
[0]);
146 salt
->salttype
= KRB5_AFS3_SALT
;
152 /* if there is a final string, use it as the string to
153 salt with, this is mostly useful with null salt for
154 v4 compat, and a cell name for afs compat */
155 salt
->saltvalue
.data
= strdup(buf
[i
]);
156 if (salt
->saltvalue
.data
== NULL
) {
157 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
160 salt
->saltvalue
.length
= strlen(buf
[i
]);
164 if(enctypes
== NULL
|| salt
->salttype
== 0) {
165 krb5_set_error_message(context
, EINVAL
, "bad value for default_keys `%s'", key
);
169 /* if no salt was specified make up default salt */
170 if(salt
->saltvalue
.data
== NULL
) {
171 if(salt
->salttype
== KRB5_PW_SALT
)
172 ret
= krb5_get_pw_salt(context
, principal
, salt
);
173 else if(salt
->salttype
== KRB5_AFS3_SALT
) {
174 krb5_const_realm realm
= krb5_principal_get_realm(context
, principal
);
175 salt
->saltvalue
.data
= strdup(realm
);
176 if(salt
->saltvalue
.data
== NULL
) {
177 krb5_set_error_message(context
, ENOMEM
,
178 "out of memory while "
179 "parsing salt specifiers");
182 strlwr(salt
->saltvalue
.data
);
183 salt
->saltvalue
.length
= strlen(realm
);
187 *ret_enctypes
= malloc(sizeof(enctypes
[0]) * num_enctypes
);
188 if (*ret_enctypes
== NULL
) {
189 krb5_free_salt(context
, *salt
);
190 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
193 memcpy(*ret_enctypes
, enctypes
, sizeof(enctypes
[0]) * num_enctypes
);
194 *ret_num_enctypes
= num_enctypes
;
201 * This function adds an HDB entry's current keyset to the entry's key
202 * history. The current keyset is left alone; the caller is responsible
205 * @param context Context
206 * @param entry HDB entry
209 hdb_add_current_keys_to_history(krb5_context context
, hdb_entry
*entry
)
211 krb5_boolean replace
= FALSE
;
218 ext
= hdb_find_extension(entry
, choice_HDB_extension_data_hist_keys
);
221 ext
= calloc(1, sizeof (*ext
));
223 return krb5_enomem(context
);
225 ext
->data
.element
= choice_HDB_extension_data_hist_keys
;
229 * Copy in newest old keyset
232 ret
= hdb_entry_get_pw_change_time(entry
, &newtime
);
236 memset(&newkey
, 0, sizeof(newkey
));
237 newkey
.keys
= entry
->keys
;
238 newkey
.kvno
= entry
->kvno
;
239 newkey
.set_time
= &newtime
;
241 ret
= add_HDB_Ext_KeySet(&ext
->data
.u
.hist_keys
, &newkey
);
246 /* hdb_replace_extension() deep-copies ext; what a waste */
247 ret
= hdb_replace_extension(context
, entry
, ext
);
253 if (replace
&& ext
) {
254 free_HDB_extension(ext
);
261 static krb5_error_code
262 add_enctype_to_key_set(Key
**key_set
, size_t *nkeyset
,
263 krb5_enctype enctype
, krb5_salt
*salt
)
268 memset(&key
, 0, sizeof(key
));
270 tmp
= realloc(*key_set
, (*nkeyset
+ 1) * sizeof((*key_set
)[0]));
276 key
.key
.keytype
= enctype
;
277 key
.key
.keyvalue
.length
= 0;
278 key
.key
.keyvalue
.data
= NULL
;
281 key
.salt
= calloc(1, sizeof(*key
.salt
));
282 if (key
.salt
== NULL
) {
287 key
.salt
->type
= salt
->salttype
;
288 krb5_data_zero (&key
.salt
->salt
);
290 ret
= krb5_data_copy(&key
.salt
->salt
,
291 salt
->saltvalue
.data
,
292 salt
->saltvalue
.length
);
300 (*key_set
)[*nkeyset
] = key
;
310 ks_tuple2str(krb5_context context
, int n_ks_tuple
,
311 krb5_key_salt_tuple
*ks_tuple
, char ***ks_tuple_strs
)
316 krb5_error_code rc
= KRB5_PROG_ETYPE_NOSUPP
;
318 *ks_tuple_strs
= NULL
;
322 if ((ksnames
= calloc(n_ks_tuple
, sizeof (*ksnames
))) == NULL
)
325 for (i
= 0; i
< n_ks_tuple
; i
++) {
326 if (krb5_enctype_to_string(context
, ks_tuple
[i
].ks_enctype
, &ename
))
328 if (krb5_salttype_to_string(context
, ks_tuple
[i
].ks_enctype
,
329 ks_tuple
[i
].ks_salttype
, &sname
))
332 if (asprintf(&ksnames
[i
], "%s:%s", ename
, sname
) == -1) {
342 *ks_tuple_strs
= ksnames
;
346 for (i
= 0; i
< n_ks_tuple
; i
++)
353 * Generate the `key_set' from the [kadmin]default_keys statement. If
354 * `no_salt' is set, salt is not important (and will not be set) since
355 * it's random keys that is going to be created.
359 hdb_generate_key_set(krb5_context context
, krb5_principal principal
,
360 int n_ks_tuple
, krb5_key_salt_tuple
*ks_tuple
,
361 Key
**ret_key_set
, size_t *nkeyset
, int no_salt
)
363 char **ktypes
= NULL
;
368 char **ks_tuple_strs
;
369 static const char *default_keytypes
[] = {
370 "aes256-cts-hmac-sha1-96:pw-salt",
371 "des3-cbc-sha1:pw-salt",
372 "arcfour-hmac-md5:pw-salt",
376 if ((ret
= ks_tuple2str(context
, n_ks_tuple
, ks_tuple
, &ks_tuple_strs
)))
379 if (ks_tuple_strs
== NULL
)
380 ktypes
= krb5_config_get_strings(context
, NULL
, "kadmin",
381 "default_keys", NULL
);
383 ktypes
= (char **)(intptr_t)default_keytypes
;
385 *ret_key_set
= key_set
= NULL
;
388 for(kp
= ktypes
; kp
&& *kp
; kp
++) {
391 krb5_enctype
*enctypes
;
396 if(strcmp(p
, "v5") == 0)
398 else if(strcmp(p
, "v4") == 0)
400 else if(strcmp(p
, "afs") == 0 || strcmp(p
, "afs3") == 0)
402 else if (strcmp(p
, "arcfour-hmac-md5") == 0)
403 p
= "arcfour-hmac-md5:pw-salt";
405 memset(&salt
, 0, sizeof(salt
));
407 ret
= parse_key_set(context
, p
,
408 &enctypes
, &num_enctypes
, &salt
, principal
);
410 krb5_warn(context
, ret
, "bad value for default_keys `%s'", *kp
);
415 for (i
= 0; i
< num_enctypes
; i
++) {
416 /* find duplicates */
417 for (j
= 0; j
< *nkeyset
; j
++) {
421 if (k
->key
.keytype
== enctypes
[i
]) {
424 if (k
->salt
== NULL
&& salt
.salttype
== KRB5_PW_SALT
)
426 if (k
->salt
->type
== salt
.salttype
&&
427 k
->salt
->salt
.length
== salt
.saltvalue
.length
&&
428 memcmp(k
->salt
->salt
.data
, salt
.saltvalue
.data
,
429 salt
.saltvalue
.length
) == 0)
433 /* not a duplicate, lets add it */
435 ret
= add_enctype_to_key_set(&key_set
, nkeyset
, enctypes
[i
],
436 no_salt
? NULL
: &salt
);
439 krb5_free_salt(context
, salt
);
445 krb5_free_salt(context
, salt
);
448 *ret_key_set
= key_set
;
451 if (ktypes
!= (char **)(intptr_t)default_keytypes
)
452 krb5_config_free_strings(ktypes
);
455 krb5_warn(context
, ret
,
456 "failed to parse the [kadmin]default_keys values");
458 for (i
= 0; i
< *nkeyset
; i
++)
459 free_Key(&key_set
[i
]);
461 } else if (*nkeyset
== 0) {
463 "failed to parse any of the [kadmin]default_keys values");
464 ret
= EINVAL
; /* XXX */
472 hdb_generate_key_set_password(krb5_context context
,
473 krb5_principal principal
,
474 const char *password
,
475 Key
**keys
, size_t *num_keys
)
480 ret
= hdb_generate_key_set(context
, principal
, 0, NULL
,
485 for (i
= 0; i
< (*num_keys
); i
++) {
488 salt
.salttype
= (*keys
)[i
].salt
->type
;
489 salt
.saltvalue
.length
= (*keys
)[i
].salt
->salt
.length
;
490 salt
.saltvalue
.data
= (*keys
)[i
].salt
->salt
.data
;
492 ret
= krb5_string_to_key_salt (context
,
493 (*keys
)[i
].key
.keytype
,
503 hdb_free_keys (context
, *num_keys
, *keys
);